HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
ValidateEvents.c File Reference

Implementation of debugger functions for validating events. More...

#include "pch.h"

Functions

BOOLEAN ValidateEventMonitor (PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Validating monitor memory hook events.
 
BOOLEAN ValidateEventException (PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Validating exception events.
 
BOOLEAN ValidateEventInterrupt (PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Validating interrupt events.
 
BOOLEAN ValidateEventTrapExec (PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Validating trap exec events.
 
BOOLEAN ValidateEventEptHookHiddenBreakpointAndInlineHooks (PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails, PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn, BOOLEAN InputFromVmxRoot)
 Validating EPT hook exec (hidden breakpoint and inline hook) events.
 

Detailed Description

Implementation of debugger functions for validating events.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.7
Date
2023-10-15
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ ValidateEventEptHookHiddenBreakpointAndInlineHooks()

BOOLEAN ValidateEventEptHookHiddenBreakpointAndInlineHooks ( PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Validating EPT hook exec (hidden breakpoint and inline hook) events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
BOOLEAN
254{
255 UINT32 TempPid;
256
257 //
258 // First check if the address are valid
259 //
260 TempPid = EventDetails->ProcessId;
261
262 if (TempPid == DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES)
263 {
264 TempPid = HANDLE_TO_UINT32(PsGetCurrentProcessId());
265 }
266
267 //
268 // Check if input is coming from VMX-root or not
269 // If it's coming from VMX-root, then as switching
270 // to another process is not possible, we'll return
271 // an error
272 //
273 if (InputFromVmxRoot && TempPid != HANDLE_TO_UINT32(PsGetCurrentProcessId()))
274 {
275 ResultsToReturn->IsSuccessful = FALSE;
276 ResultsToReturn->Error = DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE;
277 return FALSE;
278 }
279
280 //
281 // Check whether address is valid or not based on whether the event needs
282 // to be applied directly from VMX-root mode or not
283 //
284 if (InputFromVmxRoot)
285 {
286 if (VirtualAddressToPhysicalAddressOnTargetProcess((PVOID)EventDetails->Options.OptionalParam1) == (UINT64)NULL)
287 {
288 //
289 // Address is invalid (Set the error)
290 //
291
292 ResultsToReturn->IsSuccessful = FALSE;
293 ResultsToReturn->Error = DEBUGGER_ERROR_INVALID_ADDRESS;
294 return FALSE;
295 }
296 }
297 else
298 {
299 if (VirtualAddressToPhysicalAddressByProcessId((PVOID)EventDetails->Options.OptionalParam1, TempPid) == (UINT64)NULL)
300 {
301 //
302 // Address is invalid (Set the error)
303 //
304
305 ResultsToReturn->IsSuccessful = FALSE;
306 ResultsToReturn->Error = DEBUGGER_ERROR_INVALID_ADDRESS;
307 return FALSE;
308 }
309 }
310
311 //
312 // The event parameters are valid at this stage
313 //
314 return TRUE;
315}
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
#define DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES
Apply the event to all the processes.
Definition Constants.h:617
VirtualAddressToPhysicalAddressByProcessId
_Use_decl_annotations_ UINT64 VirtualAddressToPhysicalAddressByProcessId(PVOID VirtualAddress, UINT32 ProcessId)
Converts Virtual Address to Physical Address based on a specific process id's kernel cr3.
Definition Conversion.c:171
VirtualAddressToPhysicalAddressOnTargetProcess
_Use_decl_annotations_ UINT64 VirtualAddressToPhysicalAddressOnTargetProcess(PVOID VirtualAddress)
Converts Virtual Address to Physical Address based on the current process's kernel cr3.
Definition Conversion.c:258
DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE
#define DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE
error, the process id cannot be specified while the debugger is in VMX-root mode
Definition ErrorCodes.h:429
DEBUGGER_ERROR_INVALID_ADDRESS
#define DEBUGGER_ERROR_INVALID_ADDRESS
error, invalid address specified for debugger
Definition ErrorCodes.h:63
HANDLE_TO_UINT32
#define HANDLE_TO_UINT32(_var)
Definition MetaMacros.h:39
_DEBUGGER_EVENT_AND_ACTION_RESULT::Error
UINT32 Error
Definition Events.h:425
_DEBUGGER_EVENT_AND_ACTION_RESULT::IsSuccessful
BOOLEAN IsSuccessful
Definition Events.h:424
_DEBUGGER_EVENT_OPTIONS::OptionalParam1
UINT64 OptionalParam1
Definition Events.h:272
_DEBUGGER_GENERAL_EVENT_DETAIL::Options
DEBUGGER_EVENT_OPTIONS Options
Definition Events.h:391
_DEBUGGER_GENERAL_EVENT_DETAIL::ProcessId
UINT32 ProcessId
Definition Events.h:360

◆ ValidateEventException()

BOOLEAN ValidateEventException ( PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Validating exception events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
BOOLEAN
140{
141 UNREFERENCED_PARAMETER(InputFromVmxRoot);
142
143 //
144 // Check if the exception entry doesn't exceed the first 32 entry (start from zero)
145 //
146 if (EventDetails->Options.OptionalParam1 != DEBUGGER_EVENT_EXCEPTIONS_ALL_FIRST_32_ENTRIES && EventDetails->Options.OptionalParam1 >= 31)
147 {
148 //
149 // We don't support entries other than first 32 IDT indexes,
150 // it is because we use exception bitmaps and in order to support
151 // more than 32 indexes we should use pin-based external interrupt
152 // exiting which is completely different
153 //
154 ResultsToReturn->IsSuccessful = FALSE;
155 ResultsToReturn->Error = DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES;
156 return FALSE;
157 }
158
159 //
160 // The event parameters are valid at this stage
161 //
162 return TRUE;
163}
DEBUGGER_EVENT_EXCEPTIONS_ALL_FIRST_32_ENTRIES
#define DEBUGGER_EVENT_EXCEPTIONS_ALL_FIRST_32_ENTRIES
Apply to all first 32 exceptions.
Definition Constants.h:629
DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES
#define DEBUGGER_ERROR_EXCEPTION_INDEX_EXCEED_FIRST_32_ENTRIES
error, the index is greater than 32 in !exception command
Definition ErrorCodes.h:75

◆ ValidateEventInterrupt()

BOOLEAN ValidateEventInterrupt ( PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Validating interrupt events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
BOOLEAN
179{
180 UNREFERENCED_PARAMETER(InputFromVmxRoot);
181
182 //
183 // Check if the exception entry is between 32 to 255
184 //
185 if (!(EventDetails->Options.OptionalParam1 >= 32 && EventDetails->Options.OptionalParam1 <= 0xff))
186 {
187 //
188 // The IDT Entry is either invalid or is not in the range
189 // of the pin-based external interrupt exiting controls
190 //
191 ResultsToReturn->IsSuccessful = FALSE;
192 ResultsToReturn->Error = DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID;
193 return FALSE;
194 }
195
196 //
197 // The event parameters are valid at this stage
198 //
199 return TRUE;
200}
DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID
#define DEBUGGER_ERROR_INTERRUPT_INDEX_IS_NOT_VALID
error, the index for !interrupt command is not between 32 to 256
Definition ErrorCodes.h:81

◆ ValidateEventMonitor()

BOOLEAN ValidateEventMonitor ( PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Validating monitor memory hook events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
BOOLEAN
29{
30 UINT32 TempPid;
31
32 //
33 // First check if the address are valid
34 //
35 TempPid = EventDetails->ProcessId;
36 if (TempPid == DEBUGGER_EVENT_APPLY_TO_ALL_PROCESSES)
37 {
38 TempPid = HANDLE_TO_UINT32(PsGetCurrentProcessId());
39 }
40
41 //
42 // Check if input is coming from VMX-root or not
43 // If it's coming from VMX-root, then as switching
44 // to another process is not possible, we'll return
45 // an error
46 //
47 if (InputFromVmxRoot && TempPid != HANDLE_TO_UINT32(PsGetCurrentProcessId()))
48 {
49 ResultsToReturn->IsSuccessful = FALSE;
50 ResultsToReturn->Error = DEBUGGER_ERROR_PROCESS_ID_CANNOT_BE_SPECIFIED_WHILE_APPLYING_EVENT_FROM_VMX_ROOT_MODE;
51 return FALSE;
52 }
53
54 //
55 // Check whether address is valid or not based on whether the event needs
56 // to be applied directly from VMX-root mode or not
57 //
58 if ((DEBUGGER_HOOK_MEMORY_TYPE)EventDetails->Options.OptionalParam3 == DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS)
59 {
60 //
61 // Validation of a physical address
62 //
63 if (CheckAddressPhysical(EventDetails->Options.OptionalParam1) == FALSE ||
64 CheckAddressPhysical(EventDetails->Options.OptionalParam2) == FALSE)
65 {
66 //
67 // Physical address is invalid (Set the error)
68 //
69
70 ResultsToReturn->IsSuccessful = FALSE;
71 ResultsToReturn->Error = DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS;
72 return FALSE;
73 }
74 }
75 else
76 {
77 //
78 // Validation of a virtual address
79 //
80 if (InputFromVmxRoot)
81 {
82 if (VirtualAddressToPhysicalAddressOnTargetProcess((PVOID)EventDetails->Options.OptionalParam1) == (UINT64)NULL ||
83 VirtualAddressToPhysicalAddressOnTargetProcess((PVOID)EventDetails->Options.OptionalParam2) == (UINT64)NULL)
84 {
85 //
86 // Virtual address is invalid (Set the error)
87 //
88
89 ResultsToReturn->IsSuccessful = FALSE;
90 ResultsToReturn->Error = DEBUGGER_ERROR_INVALID_ADDRESS;
91 return FALSE;
92 }
93 }
94 else
95 {
96 if (VirtualAddressToPhysicalAddressByProcessId((PVOID)EventDetails->Options.OptionalParam1, TempPid) == (UINT64)NULL ||
97 VirtualAddressToPhysicalAddressByProcessId((PVOID)EventDetails->Options.OptionalParam2, TempPid) == (UINT64)NULL)
98 {
99 //
100 // Address is invalid (Set the error)
101 //
102
103 ResultsToReturn->IsSuccessful = FALSE;
104 ResultsToReturn->Error = DEBUGGER_ERROR_INVALID_ADDRESS;
105 return FALSE;
106 }
107 }
108 }
109
110 //
111 // Check if the 'to' is greater that 'from'
112 //
113 if (EventDetails->Options.OptionalParam1 >= EventDetails->Options.OptionalParam2)
114 {
115 ResultsToReturn->IsSuccessful = FALSE;
116 ResultsToReturn->Error = DEBUGGER_ERROR_INVALID_ADDRESS;
117 return FALSE;
118 }
119
120 //
121 // The event parameters are valid at this stage
122 //
123 return TRUE;
124}
CheckAddressPhysical
BOOLEAN CheckAddressPhysical(UINT64 PAddr)
Checks if the physical address is correct or not based on physical address width.
Definition AddressCheck.c:120
DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
@ DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
Definition DataTypes.h:312
DEBUGGER_HOOK_MEMORY_TYPE
enum _DEBUGGER_HOOK_MEMORY_TYPE DEBUGGER_HOOK_MEMORY_TYPE
different type of memory addresses
DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS
#define DEBUGGER_ERROR_INVALID_PHYSICAL_ADDRESS
error, invalid physical address
Definition ErrorCodes.h:540
_DEBUGGER_EVENT_OPTIONS::OptionalParam2
UINT64 OptionalParam2
Definition Events.h:273
_DEBUGGER_EVENT_OPTIONS::OptionalParam3
UINT64 OptionalParam3
Definition Events.h:274

◆ ValidateEventTrapExec()

BOOLEAN ValidateEventTrapExec ( PDEBUGGER_GENERAL_EVENT_DETAIL EventDetails,
PDEBUGGER_EVENT_AND_ACTION_RESULT ResultsToReturn,
BOOLEAN InputFromVmxRoot )

Validating trap exec events.

Parameters
EventThe created event object
ResultsToReturnResult buffer that should be returned to the user-mode
InputFromVmxRootWhether the input comes from VMX root-mode or IOCTL
Returns
BOOLEAN
216{
217 UNREFERENCED_PARAMETER(InputFromVmxRoot);
218
219 //
220 // Check if the execution mode is valid or not
221 //
222 if (EventDetails->Options.OptionalParam1 != DEBUGGER_EVENT_MODE_TYPE_USER_MODE &&
223 EventDetails->Options.OptionalParam1 != DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE &&
224 EventDetails->Options.OptionalParam1 != DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE)
225 {
226 //
227 // The execution mode is not correctly applied
228 //
229 ResultsToReturn->IsSuccessful = FALSE;
230 ResultsToReturn->Error = DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID;
231 return FALSE;
232 }
233
234 //
235 // The event parameters are valid at this stage
236 //
237 return TRUE;
238}
DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID
#define DEBUGGER_ERROR_MODE_EXECUTION_IS_INVALID
error, the execution mode is incorrect
Definition ErrorCodes.h:423
DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
@ DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
Definition Events.h:207
DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE_AND_KERNEL_MODE
Definition Events.h:205
DEBUGGER_EVENT_MODE_TYPE_USER_MODE
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE
Definition Events.h:206